[rt-devel] canonicalising WebExternalAuth

seph seph at commerceflow.com
Tue May 28 03:53:34 EDT 2002


I just started seriously hacking an RT to use either cert-based auth
or password auth (via WebExternalAuth and Apache). In doing so, I
discovered a couple of things that bring me to needing a new feature in RT.

mod_ssl passes cert information to CGI programs really nastily. I
could only come up with 2 ways of getting information to the CGI
programs (perhaps complicated by my need for alternative basic auth):

  With a lot of kludging, mod_ssl can dump the cert's subject into
  REMOTE_USER, but this is a horrible bit of information to use (it's
  the full LDAP string including O, OU, CN, etc.).

  With much less kludging, mod_ssl will set a bunch of cert-specific
  variables based on what's in the cert. The most useful looks like
  it'll be SSL_CLIENT_S_DN_Email, but I imagine that's site
  dependent. And no, I was unable to get mod_setenv to be useful.

My conclusion is that my life would be great if I could set
WebExternalAuth and create an equivalent to CanonicalizeAddress that
worked on the Apache variables. In my case, I'd have
WebCanonicalizeAddress return either REMOTE_USER or
SSL_CLIENT_S_DN_Email depending on which is defined, and along the way
massage the domain names a little.

I've included my patch, though I'm ashamed to admit it's untested. It
probably won't get tested till the other person I'm working with
installs a fresh RT. But it's simple enough, I figure it'll work. And
since I'm sure folk are wondering, I've also included the snippet from
my apache.conf file that does the dual auth bit.

Comments are welcome.

seph

-------------- next part --------------
A non-text attachment was scrubbed...
Name: canonicalizeweb.patch
Type: text/x-patch
Size: 1461 bytes
Desc: not available
Url : http://pallas.eruditorum.org/pipermail/rt-devel/attachments/20020528/006e2daa/canonicalizeweb.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apache.conf-dual
Type: application/octet-stream
Size: 891 bytes
Desc: not available
Url : http://pallas.eruditorum.org/pipermail/rt-devel/attachments/20020528/006e2daa/apache.obj
-------------- next part --------------
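
The selection logic proposed in the message, as an added Perl example (not the scrubbed canonicalizeweb.patch and not RT's own code). It assumes the CGI environment is passed in as a hash; the name WebCanonicalizeAddress is taken from the proposal, while %DOMAIN_MAP, the SSL_CLIENT_VERIFY check and the rejection of DN-style values are assumptions added here.

```perl
use strict;
use warnings;

# Constructed domain rewrites; real sites supply their own.
my %DOMAIN_MAP = ( 'mail.example.com' => 'example.com' );

# Hypothetical helper named after the proposal in the message; not RT's API.
# Takes the CGI environment as a hash, returns a canonical user or undef.
sub WebCanonicalizeAddress {
    my (%env) = @_;
    my $raw;

    # Cert fields are only meaningful when mod_ssl verified the client cert.
    if (   length( $env{SSL_CLIENT_S_DN_Email} // '' )
        && ( $env{SSL_CLIENT_VERIFY} // '' ) eq 'SUCCESS' )
    {
        $raw = $env{SSL_CLIENT_S_DN_Email};
    }
    elsif ( length( $env{REMOTE_USER} // '' ) ) {
        $raw = $env{REMOTE_USER};    # set by Apache after basic auth
    }
    else {
        return;                      # nothing authenticated: no user
    }

    # Normalise, then refuse anything that is not a plain login or address
    # (for example a full subject DN such as "/O=.../CN=...").
    ( my $user = lc $raw ) =~ s/^\s+|\s+$//g;
    return unless $user =~ /\A([a-z0-9._+-]+)(?:\@([a-z0-9.-]+))?\z/;
    my ( $local, $domain ) = ( $1, $2 );
    return $local unless defined $domain;
    return $local . '@' . ( $DOMAIN_MAP{$domain} // $domain );
}

# Constructed sample environments, one per case.
my @cases = (
    { SSL_CLIENT_VERIFY => 'SUCCESS', SSL_CLIENT_S_DN_Email => 'Alice@Mail.Example.com' },
    { SSL_CLIENT_VERIFY => 'NONE',    REMOTE_USER => 'bob' },
    { SSL_CLIENT_VERIFY => 'NONE',    SSL_CLIENT_S_DN_Email => 'eve@example.com' },
    { REMOTE_USER => '/O=Example/OU=IT/CN=Carol' },
);
for my $env (@cases) {
    my $user = WebCanonicalizeAddress(%$env);
    print defined $user ? "accepted: $user\n" : "rejected\n";
}
```

Returning undef rather than a best-effort string lets the caller deny the request when neither variable yields a clean identity.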


